by cesarb 2141 days ago
Notice that, in your example, they are different servers. Not only that, but "dl.google.com" is most probably a cluster of servers spread all over the world. If an attacker somehow compromises one of the servers behind "dl.google.com", those unlucky to use that particular server could receive a malicious package; but if they compare the hash or signature with what "golang.org" says should be the correct one, they will notice that something's not right (and can warn others, and/or compare the malicious package with a legitimate one obtained elsewhere). The main server ("golang.org" in this case) is usually considered more trusted than the download mirrors (and is often in a single location, not mirrored all over the world).
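The check the comment describes, verifying a package obtained from a mirror against the digest published by the main site, as an added example that is not part of the original comment or of any Go tooling. The package bytes, the file name `go1.0.0.linux-amd64.tar.gz` and the checksum file are constructed here so the example runs offline; in practice the checksum text would be fetched from the main server (golang.org in the comment's case) over a separate connection from the download itself, and compared using constant-time comparison so the result does not depend on which bytes differ.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample data: the package as a mirror would serve it, and a
# tampered variant standing in for what a compromised mirror might hand out.
LEGIT_PACKAGE = b"go1.0.0.linux-amd64.tar.gz contents (constructed sample)\n"
TAMPERED_PACKAGE = LEGIT_PACKAGE + b"extra bytes that were not in the release\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Checksum file in sha256sum format ('<64 hex digits>  <filename>'), built
# from the constructed sample so that it plays the role of the list the
# main server publishes. The second entry is a placeholder for another file.
CHECKSUM_FILE = (
    f"{sha256_hex(LEGIT_PACKAGE)}  go1.0.0.linux-amd64.tar.gz\n"
    f"{'0' * 64}  other-constructed-file.tar.gz\n"
)


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: digest}.

    Rejects malformed lines instead of silently skipping them, so a
    truncated or corrupted checksum file cannot pass as 'no entry'.
    """
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes binary-mode names with '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: '{digest}' is not a SHA-256 hex digest")
        expected[name] = digest
    return expected


def verify_download(filename: str, data: bytes, checksum_text: str) -> bool:
    """True only if the downloaded bytes match the published digest for filename.

    A missing entry is an error rather than a pass: the absence of a digest
    gives no assurance about the file.
    """
    expected = parse_checksum_file(checksum_text)
    if filename not in expected:
        raise KeyError(f"no published digest for {filename}")
    actual = sha256_hex(data)
    # Constant-time comparison: the verdict should not leak through timing
    # which bytes of the digest differ.
    return hmac.compare_digest(actual, expected[filename])


if __name__ == "__main__":
    name = "go1.0.0.linux-amd64.tar.gz"
    print("legit package verifies:", verify_download(name, LEGIT_PACKAGE, CHECKSUM_FILE))
    print("tampered package verifies:", verify_download(name, TAMPERED_PACKAGE, CHECKSUM_FILE))
```

The important property is where `CHECKSUM_FILE` comes from: if the digest list is fetched from the same mirror that served the package, a compromised mirror can rewrite both, and the check proves nothing. Fetching it from the main server, as the comment suggests, is what makes a mismatch meaningful.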